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Abstract. The XCRUSH family of non-Feistel, ARX block ciphers is designed 
to make efficient use of modern 64-bit general-purpose processors using a small 
number of encryption rounds which are simple to implement in software. The 
avalanche function, which applies one data-dependent, key-dependent rotation 
per 64-bit word of plaintext per round, allows XCRUSH to produce an almost 
totally diffuse 256-bit block after just the first two rounds. Designed for speed 
in software, the reference implementation for 3-round XCRUSH is measured at 
~7.3 cycles/byte single-threaded on an Intel Haswell processor. A deterministic 
random bit generator, constructed using the avalanche function, serves as a key 
scheduling algorithm. No security claims are made in this paper. 
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1 Introduction 

This author was originally inspired to create a new block cipher more efficient 
than Rijndael^ in software run on modern general-purpose processors. The 
idea was to use 64-bit XOR, add, and rotate operations instead of lookup ta¬ 
bles which work with only eight or sometimes 16 bits at a time, thinking that 
perhaps the technique was without precedent. Had it been, this cipher would 
likely have been called Czar or Tsar, a play on the letters XAR, meaning XOR, 
Add, Rotate. 

In experimenting with rotations of a 256-bit block using eight bits of key to 
determine the rotation distance, it became obvious that key-dependent rota¬ 
tions were just as ineffective as fixed rotations for achieving diffusion quickly. 
Subsequently and by default, data-dependent rotations came to be the tool of 
choice. 

XCRUSH has a hxed block length of 256 bits and supports key sizes of 128, 

The algorithms presented in this paper are free from any intellectual property restrictions. 
This release does not constitute an endorsement of these algorithms for official use. 
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192, and 256 bits. Developed uninfluenced by any prior work involving data- 
dependent rotations, the techniques presented in this paper are the result of this 
author’s attempts to achieve fast diffusion in software with 64-bit arithmetic. 


Table 1. Notation 


Notation 

Description 

x + y 

addition of x and y modulo 2 " 

X * y 

multiplication of x and y modulo 2 ” 

x®y 

bitwise XOR of x and y 

X Ay 

bitwise AND of x and y 

X ^ i 

right shift of a; by f bits 

X i 

left rotation of a; by f bits 


2 Description 

2.1 Algorithm 

Let P = (Pi, P 2713 , ^ 4 ) and C = (Ci, (72, C 3 , ( 74 ) be the 256-bit plaintext and 
ciphertext respectively where Pi and Ci are 64-bit words. Let SKj be the 64-bit 
subkey for j = 1,..., 16. Then, the encryption process can be formulated as in 
Algorithm 1. 


Algorithm 1 The Encryption Process of XCRUSH 


(Ti, T2, Pa, T4) = P = (Pi, P2, P3, P4) 

SK = {SKi,SK2,...,SKie) 
for f = 0 to 2 do 

j = I * 4 

(PAi, PA2, PA3, RKi) = iSK,+i,SK,+2, SK,+ 3 , SKj+4) 

Ti = A(ri, T 2 +T 3 +T 4 + PAi) 

T 2 = A(T 2 , Ti + Ta + T 4 + RK^) 

T 3 = A(T3, Ti + r 2 + T 4 + RKs) 

Ti = A{Ti, T1+T2+T3 + RKi) 

end for 

{Cl, C2, C3, C4) = (Ti 0 SKi3, T2 0 SKii, T3 0 SKi 3, Ti 0 S'A'ig) 


A-Function A-Function is a keyed avalanche function that provides both 
confusion and diffusion. (7-Function returns an integer on interval [0,63] which 
is used as the bitwise leftward rotation distance. A-Function is used in the en¬ 
cryption process and as part of the key expansion. Where X and A are 64-bit 
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words, ^-Function can be formulated as in Algorithm 2. 


Algorithm 2 A-Function 

A{X,A) = {Y) 

Y = {x +A) <m: C{A) 


C'-Function C-Function is a chaotic compression designed to produce a large 
set of 6 -bit values when applied to a set of very similar inputs. Where A is a 
64-bit word, C'-Function can be formulated as in Algorithm 3. 


Algorithm 3 C-Function 


C{X) = (F) 

A = (A > 32) -h A 
A = (A >11)0 A 
A = (A > 9) 0 A 
A = (A > 6 ) 0 A 
F = A A 0x3/ 


2.2 Key Expansion 

The 16 64-bit subkeys necessary for the encryption process are generated by 
seeding a pseudorandom number generator with the encryption key. Let the en¬ 
cryption key K be equal to {Ki,K 2 ), (Ai, A 2 , A 3 ), and (Ai, A 2 , A 3 , A 4 ) for key 
lengths 128, 192, and 256 bits respectively, where each A^ is a 64-bit word. Let 
the 320-bit PRNG seed S = {Si, S 2 , S 3 , S 4 , S 5 ) be equal to (Ai, A 2 , C, C, C), 
(Ai, A 2 , A 3 , C, C), and (Ai, A 2 , A 3 , A 4 , C) for key lengths 128, 192, and 256 
bits respectively, where C = 4142135623730950488 and Si, Ki, and C are 64-bit 
words. Then, the key expansion can be formulated as in Algorithm 4. 


Algorithm 4 The Key Expansion Algorithm 


for i = 1 to 10 do 
{Y,S)=N{S) 

end for 

SK = {SKi,SK2,...,SKi3) 
for i = 1 to 16 do 
{Y,S)=N{S) 

SK,=Y 

end for 
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Algorithm 5 A-Function is a pseudorandom number generator with 320 bits 
of state. A-Function uses the avalanche function to generate a series of 64-bit 
outputs. 


N{S) = {Y,S) 

S=iSuS2,S3,Si,S5) 

T=S2 

82 = 83 

83 = 84 

84 = 85 

85 = 81 

Y=S 4 =A{S 4 , 84 +T) 

8=184,82,83,84,85) 


3 Design Rationale 

3.1 Algorithm 

By making the addition to, but more importantly the bitwise rotation of each 
64-bit word of plaintext dependent on the other three words in the plaintext 
block, and by allowing the output of one avalanche operation to feed into the 
next, we can ensure that a small change in the plaintext block will tend to result 
in a very large change in the output block after each round. 

Given this construction, it appeared natural to simply add a 64-bit word of 
key material to the sum of the three words of plaintext going into the avalanche 
function. In this way, confusion and diffusion are achieved efficiently and simul¬ 
taneously. 

Finally, as key whitening, the block is XORed with the final 256 bits of subkey 
in order to obscure all the inputs into the final invokations of the avalanche 
function. 

3.2 Key Expansion 

The key expansion is accomplished by seeding a deterministic random bit gen¬ 
erator (PRNG) with the encryption key to produce the subkeys used in the 
encryption process. The PRNG used is based on xorshift generators]!] and is 
chosen for speed and simplicity of implementation. 

The complex one-way nature of the key expansion is intended to make it difficult 
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for an attacker to use information about a subkey to recover infomation about 
the other subkeys or about the master key. Additionally, the PRNG method of 
subkey derivation, by which a stream of subkeys is dependent on all the bits of 
the master key, is intended to mitigate related-key attacks. 

The constant C, namely the leading decimal digits of the fractional part of 
the square root of two, is arbitrarily chosen to ensure that the PRNG is not 
seeded with all zeros. 

Note that, regardless of key size, XCRUSH is composed of three avalanche 
rounds and a key-whitening XOR. 


4 Concluding Remarks 

XCRUSH is an ambitious attempt at creating an unconventional family of block 
ciphers which may or may not lend itself well to traditional cryptanalysis. It is 
the hope of this author that it may serve to advance the field of cryptography 
in its own way. 
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Figure 1: A round of XCRUSH. 


















































































Figure 2: The avalanche function. 


7 













































Appendices 

A Test Vectors 
A.l XCRUSH-128 

KEY: 

1599D14129204267 E4C91210F1C15541 
PLAINTEXT: 

9338192346089EEE 965D12810033DDF0 
CIPHERTEXT: 

2AC5C0D9B62355A2 9DEFB4F22A3D6DBF 

A.2 XCRUSH-192 

KEY: 

4211121041C35A31 E4E4961BB81941BA 
PLAINTEXT: 

4440306090522AB0 3I249688284691DF 
CIPHERTEXT: 

2FEFD4I974AFDD44 15BA6339E5C03563 

A.3 XCRUSH-256 

KEY: 

F0E0D0C0B0A09080 7060504030201000 
PLAINTEXT: 

311D411620304361 48165C7790022614 
CIPHERTEXT: 

000947604A76E469 E34346B03745CAC9 


434C5669E9E31202 86416B3296055DCI 
CC1826IB50072FBC CCB953C4947A6C39 

CC982462I95662AA 

4C15654900DBIAI9 I9A0FF64I35229D2 
42BA28CF3IB5F400 CCD58FC905686D9F 

FID3B597795B3DIF 02I346578A9BCEDF 
9536295B87012640 396218842A490866 
244D96ACC783C42B 95406757BE5653D9 



B Reference Implementation 

/* 

The C reference implementation of the 
block cipher family XCRUSH. 

This software is released into the public domain. 

#include <stdio.h> 

#define BLOCK_LENGTH_LONGS 4 
#define KEY_LEN_128_B1TS 2 
#define KEY_LEN_192_B1TS 3 
#define KEY_LEN_256_B1TS 4 
#define NUM_SUBKEYS 16 
#define C 4142135623730950488L 
#define L0NG_LDNG_S1ZE 64 

int compress(unsigned long long x) { 

X = (x >> 32) + x; 

X = (x >> 11) ~ x; 

X = (x >> 9) + x; 

return ((x » 6) + x) & 0x3f; 

} 

long long avalanche(unsigned long long v, unsigned long long a) { 

V += a; 

const int shiftAmount = compress(a); 

/* ROTATE LEFT */ 

return (v << shiftAmount) I (v >> (L0NG_L0NG_S1ZE - shiftAmount)); 

} 

long long unavalctnche(unsigned long long v, unsigned long long a) { 
const int shiftAmount = compress(a); 

/* ROTATE RIGHT */ 

V = (v >> shiftAmount) I (v << (L0NG_L0NG_S1ZE - shiftAmount)); 
return v - a; 

} 

void _encrypt(unsigned long long plaintext[], int offset, int length, 
unsigned long long subkeys[16]) { 

const long _0 = subkeys[0]; 

const long_1 = subkeys [1]; 

const long_2 = subkeys [2]; 
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const long 
const long 
const long 
const long 
const long 
const long 
const long 
const long 
const long 

const long 
const long 
const long 
const long 


subkeys[3]; 
subkeys[4] ; 
subkeys[5] ; 
subkeys[6] ; 
subkeys[7] ; 
subkeys[8] ; 
subkeys[9] ; 
subkeys[10] ; 
subkeys[11] ; 

subkeys[12] ; 
subkeys[13] ; 
subkeys[14] ; 
subkeys[15] ; 


__3 = 
__4 = 
__5 = 
__6 = 
__7 = 
__8 = 
__9 = 
_10 = 
_11 = 

_12 = 
_13 = 
_14 = 
_15 = 


const int end = offset + length; 


int one_, two_, three_; 


long a_, b_, c_, d_, temp; 

// for each block 

for ( ; offset < end; offset += BLDCK_LENGTH_LONGS) { 


one_ = offset + 1; 

two_ = offset + 2; 

three_ = offset + 3; 


a_ = plaintext[offset] 

b_ = plaintext[one_] 

c_ = plaintext[two_] 

d_ = plaintext[three_] 


/* round 1 */ 
temp = c_ + d_; 
a_ = avalanche(a_, 
b_ = avalanche(b_, 
temp = a_ + b_; 
c_ = avalanche(c_, 
d_ = avalanche(d_, 

/* round 2 */ 
temp = c_ + d_; 
a_ = avalanche(a_, 
b_ = avalanche(b_, 
temp = a_ + b_; 


temp + b_ + _0); 

temp + a_ + _1); 

temp + d_ + _2); 

temp + c_ + _3); 


temp + b_ + _4); 

temp + a_ + _5); 
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c_ = avalanche(c_, temp + d_ + _6); 

d_ = avalanche(d_, temp + c_ + _7); 

/* round 3 */ 
temp = c_ + d_; 

a_ = avalanche(a_, temp + b_ + _8); 

b_ = avalanche(b_, temp + a_ + _9); 

temp = a_ + b_; 

c_ = avalanche(c_, temp + d_ + _10); 

d_ = avalanche(d_, temp + c_ + _11); 

plaintext[offset] = a_ " _12; 

plaintext[one_] = b_ ~ _13; 

plaintext[two_] = c_ " _14; 

plaintext[three_] = d_ " _15; 

} 

} 


void decrypt(unsigned long long ciphertext [], int offset, 
int length, unsigned long long subkeys[16]) { 


const 

long 

const 

long 

const 

long 

const 

long 

const 

long 

const 

long 

const 

long 

const 

long 

const 

long 

const 

long 

const 

long 

const 

long 

const 

long 

const 

long 

const 

long 

const 

long 


subkeys[0]; 
subkeys[1]; 
subkeys[2]; 
subkeys[3] ; 
subkeys[4] ; 
subkeys[5] ; 
subkeys[6] ; 
subkeys[7] ; 
subkeys[8] ; 
subkeys[9] ; 
subkeys[10] ; 
subkeys[11] ; 

subkeys[12] ; 
subkeys[13] ; 
subkeys[14] ; 
subkeys[15] ; 


__0 = 
__1 = 
__2 = 
__3 = 
__4 = 
__5 = 
__6 = 
__7 = 
__8 = 
__9 = 
_10 = 
_11 = 

_12 = 
_13 = 
_14 = 
_15 = 


const int end = offset + length; 


int one_, two_, three_; 


long a_, b_, c_, d_, temp; 

for ( ; offset < end; offset += BLDCK_LENGTH_LONGS) { 
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one_ = offset + 1; 

two_ = offset + 2; 

three_ = offset + 3; 

a_ = ciphertext[offset] ~ _12; 

b_ = ciphertext [one_] ~ _13; 

c_ = ciphertext [two_] ~ _14; 

d_ = ciphertext [three_] ~ _15; 

temp = a_ + b_; 

d_ = unavalanche(d_, temp + c_ + _11); 

c_ = unavalanche(c_, temp + d_ + _10); 

temp = c_ + d_; 

b_ = unavalanche(b_, temp + a_ + _9); 

a_ = unavalanche(a_, temp + b_ + _8); 

temp = a_ + b_; 

d_ = unavalanche(d_, temp + c_ + _7); 

c_ = unavalanche(c_, temp + d_ + _6); 

temp = c_ + d_; 

b_ = unavalanche(b_, temp + a_ + _5); 

a_ = unavalanche(a_, temp + b_ + _4); 

temp = a_ + b_; 

d_ = unavalanche(d_, temp + c_ + _3); 

c_ = unavalanche(c_, temp + d_ + _2); 

temp = c_ + d_; 

b_ = unavalanche(b_, temp + a_ + 1); 

a_ = unavalanche(a_, temp + b_ + 0); 

ciphertext [offset] = a_; 

ciphertext[one_] = b_; 

ciphertext [two_] = c_; 

ciphertext [three_] = d_; 

} 

} 

long long S_l, S_2, S_3, S_4, S_5; 

long long nextO { 

long long t = S_2; 

S_2 = S_3; 

S_3 = S_4; 

S_4 = S_5; 

S_5 = S_l; 


12 





S_1 = avalanche(S_l, S_1 + t); 
return S_l; 


void expand_key(unsigned long long key[], int keyLen, 
unsigned long long subkeybuf[NUM_SUBKEYS]) { 
switch (keyLen) { 
case KEY_LEN_128_B1TS: 

S_1 = key[0]; 

S_2 = key[l]; 

S_3 = C; 

S_4 = C; 

S_5 = C; 
break; 

case KEY_LEN_192_B1TS: 

S_1 = key[0]; 

S_2 = key[l] ; 

S_3 = key[2]; 

S_4 = C; 

S_5 = C; 
break; 

case KEY_LEN_256_B1TS: 

S_1 = key[0]; 

S_2 = key[l] ; 

S_3 = key[2]; 

S_4 = key [3]; 

S_5 = C; 
break; 
default: 
break; 

} 

for(int i = 0; i < 10; i++) { 
next 0 ; 

} 

for(int i = 0; i < NUM_SUBKEYS; i++) { 
subkeybuf [i] = nextO; 

} 

} 

int main(int argc, const char * argv[]) { 

const int keyLen = KEY_LEN_256_B1TS; 

unsigned long long key[keyLen] = { 
0xF0E0D0C0B0A09080L, 
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0x7060504030201000L, 
0xFlD3B597795B3DlFL, 
0x021346578A9BCEDFL 

>; 

const int dataLen = 4; 

unsigned long long data[dataLen] = { 
0x311d411620304361L, 
0x48165c7790022614L, 
0x9536295b87012640L, 
0x396218842a490866L 

>; 

unsigned long long subkeys[NUM_SUBKEYS] 

expand_key(key, keyLen, subkeys); 

for(int i = 0; i < dataLen; i++) { 
printf("7o#llx ", data[i]); 

} 

printf("\n"); 

_encrypt(data, 0, dataLen, subkeys); 

for(int i = 0; i < dataLen; i++) { 
printf("7o#llx ", data[i]); 

} 

printf("\n"); 

decrypt(data, 0, dataLen, subkeys); 

for(int i = 0; i < dataLen; i++) { 
printf("“/ottllx ", data[i]); 

>; 

return 0; 
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